09-08-2022 01:12 AM
Hello Experts
I have a customer that has a Firepower Deployment and we have integrated into ISE using pxGrid. We have also created an AD Realm and integrated this via LDAP.
VPN authentication is making use of a Certificate and when a user logs on or off we can see the User Activity in the FMC under the User Activity, but this is mapped to Discovered Identity instead of the AD Realm. We have tried multiple options in the certificate to try and match it against the AD Realm, but this doesn't work. If we change the VPN Authentication type to AAA-only or AAA & Certificate then the user is correctly mapped to the AD Realm. The client does not want to make this change on the VPN as he does not want the users to have to enter credentials when accessing the VPN.
This is impacting the Passive Identity Policy assigned to the Access-Control Policy. We are able to select the relevant AD Group in the rules that are required to have this set, but the users never match the rule because of the Discovered Identity match.
Anyone have any ideas how to resolve this?
09-08-2022 01:31 AM
@Steven van Jaarsveld I haven't had this exact requirement before... how about still using certificate authentication but send authorisation only to ISE? This would send the username extracted from the certificate, ISE would perform an AD lookup of the username and authorise the user. This would create a session in ISE, which is forwarded to the FMC/FTD.
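To make the mapping problem concrete, here is an added example (not code from the thread, Cisco ISE or FMC) that models the two paths discussed: an identity that is only "discovered" from a certificate field, versus a username that is looked up in the realm directory so that group-based rules can match. The realm name `example.local`, the user entries, the `DIRECTORY` dictionary and the function names are all constructed for this illustration; the point it shows is that a policy rule keyed on an AD group can only match a session whose identity was resolved against the realm, and that the certificate field you extract (UPN versus CN) decides whether that resolution succeeds.

```python
"""Model of certificate-derived VPN identity vs. realm-resolved identity.

Constructed example: the directory, realm name and users are made up.
"""
from dataclasses import dataclass, field
from typing import Optional

REALM_DOMAIN = "example.local"          # assumed AD realm name
DIRECTORY = {                           # constructed stand-in for an AD lookup:
    "jdoe": {"VPN-Users", "Finance"},   # sAMAccountName -> group memberships
    "asmith": {"VPN-Users"},
}


def split_dn(dn: str) -> dict:
    """Split an X.500 subject DN string into {ATTR: value}, honouring '\\,' escapes."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    out = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            out.setdefault(key.strip().upper(), value.strip())
    return out


def username_from_cert(subject_dn: str, san_upn: Optional[str] = None, use: str = "UPN"):
    """Pick the username the VPN would forward, from the SAN UPN or the subject CN.

    Returns (username, domain); domain is None when the field carries no realm hint.
    """
    if use == "UPN" and san_upn and "@" in san_upn:
        user, dom = san_upn.split("@", 1)
        return user, dom.lower()
    if use == "CN":
        cn = split_dn(subject_dn).get("CN")
        return (cn, None) if cn else (None, None)
    return None, None


@dataclass
class Session:
    username: str
    realm: Optional[str]                 # None models a "Discovered Identity" session
    groups: set = field(default_factory=set)


def authorize(username: Optional[str], domain: Optional[str]) -> Optional[Session]:
    """Authorization-only step: resolve the forwarded username against the realm."""
    if username is None:
        return None
    if domain is not None and domain != REALM_DOMAIN:
        return Session(username, None)           # foreign domain: stays unmapped
    groups = DIRECTORY.get(username.lower())
    if groups is None:
        return Session(username, None)           # not in the realm: stays unmapped
    return Session(username, REALM_DOMAIN, set(groups))


def rule_matches(session: Optional[Session], required_group: str) -> bool:
    """An access-control rule keyed on an AD group only matches realm-mapped sessions."""
    return (
        session is not None
        and session.realm == REALM_DOMAIN
        and required_group in session.groups
    )


if __name__ == "__main__":
    dn = "CN=John Doe,OU=Users,DC=example,DC=local"
    upn = "jdoe@example.local"
    # Forwarding the UPN: the realm lookup succeeds and the Finance rule matches.
    s1 = authorize(*username_from_cert(dn, upn, use="UPN"))
    print(s1, rule_matches(s1, "Finance"))
    # Forwarding the CN: 'John Doe' is not a directory account, so the session
    # stays unmapped and the same rule never matches.
    s2 = authorize(*username_from_cert(dn, upn, use="CN"))
    print(s2, rule_matches(s2, "Finance"))
```

The useful check here is the second case: the certificate field handed to the directory lookup must be an account name the realm can resolve (UPN or sAMAccountName), otherwise the session is created but never carries group information.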
09-08-2022 02:24 AM - edited 09-29-2022 01:29 AM
11-20-2023 02:34 PM
Did you ever find a resolution to this?